Malware detection by signature can be achieved in several ways:
- Comparison with a known malware hash (SHA-256, SHA-512, MD5, ...)
- The program matches multiple conditions or "rules" (like YARA rules)
- Looking for strings, regexes or opcode sequences
- Comparison of the import table
- Hashing small sections of the file and checking them against the database
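As an added illustration (not part of the original notes), the toy scanner below combines three of the techniques listed above: a full-file hash lookup, hashing of small fixed-size sections so that a lightly modified variant still matches, and string/regex rules in the spirit of YARA. The section size, the rules and the samples are all constructed for the example.

```python
import hashlib
import re

CHUNK_SIZE = 256  # assumed section size for the toy database; real engines use larger, structure-aware sections

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def section_hashes(data: bytes, size: int = CHUNK_SIZE) -> list[str]:
    """Hash each fixed-size section; overlap with a known sample survives edits that break the full hash."""
    return [sha256_hex(data[i:i + size]) for i in range(0, len(data), size)]

# Constructed string/regex rules (name -> compiled pattern), not a real AV rule set
STRING_RULES = {
    "encoded_powershell": re.compile(rb"powershell(\.exe)?\s+-enc\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE),
    "remote_binary_url": re.compile(rb"https?://[^\s\x00]+\.(exe|dll)\b", re.IGNORECASE),
}

def build_db(known_samples: list[bytes]) -> dict:
    """Signature database built from previously analysed samples."""
    return {
        "file_hashes": {sha256_hex(s) for s in known_samples},
        "section_hashes": {h for s in known_samples for h in section_hashes(s)},
    }

def scan(data: bytes, db: dict) -> list[str]:
    """Return the list of signature hits for one file."""
    hits = []
    if sha256_hex(data) in db["file_hashes"]:
        hits.append("hash:full")
    sections = section_hashes(data)
    matched = sum(1 for h in sections if h in db["section_hashes"])
    if matched:
        hits.append(f"hash:sections={matched}/{len(sections)}")
    for name, pattern in STRING_RULES.items():
        if pattern.search(data):
            hits.append(f"rule:{name}")
    return hits

def _filler(seed: bytes, n: int) -> bytes:
    """Deterministic non-repeating padding so every section hashes differently."""
    out = b"".join(hashlib.sha256(seed + bytes([k])).digest() for k in range(n // 32 + 1))
    return out[:n]

# Constructed samples (not real malware): a known file, a variant with its tail changed, an unrelated file
KNOWN_SAMPLE = b"MZ" + _filler(b"known", 768) + b"powershell -enc SQBFAFgA" + b"\x00" * 40
VARIANT_SAMPLE = KNOWN_SAMPLE[:-40] + b"\x01" * 40
CLEAN_SAMPLE = b"MZ" + _filler(b"clean", 800)
DB = build_db([KNOWN_SAMPLE])
```

The variant no longer matches by full hash, but three of its four sections and the string rule still flag it.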
Behavioural detection: the potentially malicious program is run in a sandbox and its behaviour is analysed.
Well-known sandboxes: any.run, Cuckoo, Joe Sandbox, ...
The purpose of the sandbox is to detect malicious behaviour, like:
- Unpacking of malicious code
- Modifying configuration files or the Windows registry
- Observing keystrokes
- Spawning subprocesses like
- Data exfiltration
- Attempting to persist on the host
AMSI - Anti-Malware Scan Interface
AMSI is essentially a feature of Windows that scans scripts as they enter memory. It doesn't actually check the scripts itself, but it does provide hooks for AV publishers to use -- essentially allowing existing antivirus software to obtain a copy of the script being executed, scan it, and decide whether or not it's safe to execute.